wu :: forums (http://www.ocf.berkeley.edu/~wwu/cgi-bin/yabb/YaBB.cgi)
riddles >> suggestions, help, and FAQ >> Error 500 - avoid using "select" "f.r.o.m"
(Message started by: fiziwig on Jan 10th, 2007, 9:30pm)

Title: Error 500 - avoid using "select" "f.r.o.m"
Post by fiziwig on Jan 10th, 2007, 9:30pm
For weeks I've been able to post to other forums, but posting to CS ALWAYS gives me this error:

Error 500

The requested URL http://www.ocf.berkeley.edu/~wwu/cgi-bin/yabb/YaBB.cgi is not available at this time

This URL is in a web site created by one of our users

You can contact that user by sending mail to: wwu@OCF.Berkeley.EDU

Title: Re: Strange posting error
Post by towr on Jan 11th, 2007, 1:29am
That's indeed strange.
It does that no matter what you try to post?

Title: Re: Strange posting error
Post by fiziwig on Jan 11th, 2007, 7:48pm
I'm not sure. I came across an interesting CS algorithm puzzle on the job and tried to post it as a puzzle to the CS forum. I got the 500 error, so I tired again a few hours later and got 500 again, so I tried again a few days later and got 500 again. That's when I noticed I could still post to any other forum, but not to CS. I tried again a week later and could still post anywhere except CS. It's a very odd situation.

Title: Re: Strange posting error
Post by towr on Jan 12th, 2007, 12:11am
Well, if it is what I think it is, it can be tracked down to a single sentence in what you're trying to post. At least that's what happened to me once, months back.
And you wouldn't have more success posting it in the other forums either. I can't quite remember the exact construction that gave me problems though (nor if preview gave the same problem).

Title: Re: Strange posting error
Post by fiziwig on Jan 12th, 2007, 8:50am
Interesting. If that's the case then I should be able to attempt to post the puzzle one sentence at a time until I find out which sentence cannot be posted. (I have the post in a text file from which I can cut and paste individual sentences)

From there, the offending sentence could be re structured in various ways to see if it can be posted in any of the alternate paraphrases. I could also narrow it down to a single word if that is the problem.

Hmmm. This is an interesting puzzle in its own right.

Title: Re: Strange posting error
Post by Grimbal on Jan 12th, 2007, 9:31am
Why don't you post your post in the CS forum, so we can have all have a try at it?  ::)

BTW, if it is at work, it might be your employer has some kind of firewall that is blocking traffic based on keywords.  If any of the words in the post look suspicious the firewall might just drop the connection to the server, and indeed you would get a 500 error.

Title: Re: Strange posting error
Post by fiziwig on Jan 12th, 2007, 1:02pm
I've tried posting it to the CS forum. That's the problem. I've been trying from home with no firewall.

So far I've discovered a certain phrase in the title or body causes the post to fail on any forum. Since I can't actually post that phrase here without causing the post to fail, (I tried it in the body of this post and it crashed) I will give it with asterisks inserted between the letters: S*e*l*e*c*t*i*n*g* f*r*o*m

Title: Re: Strange posting error
Post by fiziwig on Jan 12th, 2007, 1:04pm
The only suspicious thing is that the word "select" and the other word, which I apparently can't mention in the same post, are often used together in SQL database queries. It may be something that is blocking me because it thinks I'm trying to do some kind of database hack.

On Edit: In fact including the word "SELECT" followed by the word spelled F.R.O.M. in the title or body does cause an error 500.

Title: Re: Strange posting error
Post by Icarus on Jan 12th, 2007, 1:48pm
I can't get it to post either. Odd that this hasn't come up more often, but in all the posts I've made, I've never had it occur.

My guess is that you are correct in why it happens, and I suspect it must be a some-what recent change, as I cannot imagine not having heard about it before if it was a long-term rule. Surely with all the long posts people have used the word "select" and then later in the post the word "f.r.o.m" before.

Anyway, since it's likely to happen to other people, I'm making this thread sticky, and changing the subject to alert others as to what the problem is.

Title: Re: Error 500 - avoid using "select" &am
Post by THUDandBLUNDER on Jan 12th, 2007, 2:38pm
A search for those two words also has the same effect.

And this (http://www.ocf.berkeley.edu/~wwu/cgi-bin/yabb/YaBB.cgi?board=riddles_easy;action=display;num=1167945351;start=27#27) post by Icarus was allowed as recently as Jan 10th.

Title: Re: Error 500 - avoid using "select" &qu
Post by fiziwig on Jan 12th, 2007, 6:08pm
Apparently "...from ... select..." is acceptable, but not in the other order.

Title: Re: Error 500 - avoid using "select" &qu
Post by towr on Jan 13th, 2007, 9:49am
My only worry, aside from the annoyance, is whether it's an exploitable bug. If it interferes with the database, someone might damage it.

I think that's why I didn't post it that time I had the problem. I can't recall whether I actually messaged William about it though, only that I intended to.

Title: Re: Error 500 - avoid using "select" &qu
Post by Icarus on Jan 14th, 2007, 5:48pm
I've just had a post rejected for this reason. Fortunately because of this thread I was able to spot the problem and change "selected" to "chosen".

This reinforces my belief that it must be a recent security change - though because of towr's incident, it must be at least a few months old. But it can't have been in place forever - I'm too wordy to have never used those words in the appropriate combination before. :P

Title: Re: Error 500 - avoid using "select" &am
Post by towr on Jan 15th, 2007, 1:39am

on 01/14/07 at 17:48:32, Icarus wrote:
This reinforces my belief that it must be a recent security change - though because of towr's incident, it must be at least a few months old.
It was more than just a few month ago; possibly over a year. Probably it got in with the upgrade of the forum. However for a long time after that I never noticed it again (even though you'd expect it, because the construction isn't that uncommon)

Title: Re: Error 500 - avoid using "select" &am
Post by Grimbal on Jan 15th, 2007, 4:58am
SELECT FR0M

It is due to a bad but common programming practice to build SQL statements from user input by concatenating strings instead of properly quoting the data.
By submitting data that contains a single quote, it is sometimes possible to make your data be interpreted as SQL and executed on the web server. By adding a statement such as  "SELECT * FR0M users", if the data requested in the original statement is displayed, it might also display the list of all registered users and passwords.

Either YaBB or some library it is build on, or maybe a  firewall at Berkeley decided to stop every submissions containing these 2 words.

Funnily, other dangerous combinations such as  INSERT ... INTO or DELETE ... FR0M don't seem to be a problem.

Title: Re: Error 500 - avoid using "select" &am
Post by fiziwig on Jan 15th, 2007, 6:14pm
Clever use of zero for the letter O in FR0M. Of course it looks a little silly in lower case: select fr0m. There's always "fröm" as a way around it too.

Title: Re: Error 500 - avoid using "select" &qu
Post by Sameer on Jan 15th, 2007, 7:00pm
this must be some patch to avoid sql injection ... but i think there should be a better way of inserting a forum post into the server and avoid sql injection... maybe a bug with YABB...

Title: Re: Error 500 - avoid using "select" &am
Post by Eigenray on Jan 15th, 2007, 7:12pm
Or just "select from".

Title: Re: Error 500 - avoid using "select" &qu
Post by Icarus on Jan 15th, 2007, 7:31pm
Heh. Wish I'd thought of that. There's even precedent: towr came up with the same method to show people what codes to use, without those codes being automatically converted - though he used the bold codes.

Title: Re: Error 500 - avoid using "select" &am
Post by Grimbal on Jan 16th, 2007, 1:27am
I tried sel[b][/b]ect from, but somehow it doesn't work.

Title: Re: Error 500 - avoid using "select" &am
Post by towr on Jan 16th, 2007, 2:42am
Tags with nothing between them don't work.
So I always bolded a word or phrase in two parts instead.

Title: Re: Error 500 - avoid using "select" &am
Post by Icarus on Jan 16th, 2007, 1:54pm
Towr's method was: [b]se[/b][b]lect from[/b].
Eigenray's method is se[color=white]l[/color]ect from

Title: Error 500 - avoid using dot dot slash
Post by SMQ on Feb 8th, 2007, 5:47am
Another sequence which generates the same error: ../ (two periods followed by a forward slash) appearing anywhere in the post

--SMQ

Title: Re: Error 500 - avoid using "select" &qu
Post by Eigenray on Oct 2nd, 2007, 10:20pm
Here's one I have no explanation for:

)(|

and variations on the above.

Title: Re: Error 500 - avoid using "select" &am
Post by towr on Oct 2nd, 2007, 11:44pm
?
../
?

Title: Re: Error 500 - avoid using "select" &am
Post by Eigenray on Oct 4th, 2007, 6:37am
It looks like both "select from" and "../" now post with no problem, which is pretty ironic.  Why block ")(|"?



Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board